The Hacker News — Cyber Security, Hacking, Technology News

Microsoft's Patch Tuesday for this month falls the day before the most romantic day of the year.

Yes, it's Valentine's, and the tech giant has released its monthly security update for February 2018, addressing a total of 50 CVE-listed vulnerabilities in its Windows operating system, Microsoft Office, web browsers and other products.

Fourteen of the security updates are listed as critical, 34 are rated as important, and 2 of them are rated as moderate in severity.

The critical updates patch serious security flaws in the Edge browser and the Outlook client, an RCE in Windows' StructuredQuery component, and several memory corruption bugs in the scripting engines used by Edge and Internet Explorer.

Critical Microsoft Outlook Vulnerability

One of the most severe bugs is a memory corruption vulnerability (CVE-2018-0852) in Microsoft Outlook, which can be exploited to achieve remote code execution on the targeted machine.

In order to trigger the vulnerability, an attacker needs to trick a victim into opening a maliciously crafted message attachment or viewing it in the Outlook Preview Pane. This would allow the arbitrary code inside the malicious attachment to execute in the context of the victim's session.

If the victim is logged on with administrative user rights, the attacker could take control of the affected system, eventually allowing them to install programs, create new accounts with full user rights, or view, change or delete data.

"What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution," explained the Zero Day Initiative (ZDI).

"The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer."

The second Outlook vulnerability (CVE-2018-0850), rated as important, is a privilege escalation flaw that can be leveraged to force the affected version of Outlook to load a message store over SMB from a local or remote server.

Attackers can exploit the vulnerability by sending a specially crafted email to an Outlook user, and since the bug can be exploited when the message is merely received (before it is even opened), the attack could take place without any user interaction.

"Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email," Microsoft explains in its advisory. "This update addresses the vulnerability by ensuring Office fully validates incoming email formatting before processing message content."

Both Outlook vulnerabilities were discovered and reported to the tech giant by Microsoft researcher and former Pwn2Own winner Nicolas Joly.

Critical Microsoft Edge Vulnerability

Another critical flaw is an information disclosure vulnerability (CVE-2018-0763) in Microsoft Edge that exists because Edge improperly handles objects in memory.

An attacker can exploit this vulnerability to successfully obtain sensitive information to compromise the victim's machine further.

"To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability," Microsoft explains.

"However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site."

Other critical issues include several Scripting Engine Memory Corruption vulnerabilities in Microsoft Edge that could be exploited to achieve remote code execution in the context of the current user.

Another Microsoft Edge flaw (CVE-2018-0839), rated as important, is an information disclosure vulnerability that exists because Edge improperly handles objects in memory.

Successful exploitation of the bug could allow attackers to obtain sensitive information to compromise the user's system further.

Internet Explorer also got a patch to address an information disclosure vulnerability (CVE-2018-0847), rated important, that would let a webpage use VBScript to fetch stored information from memory.

Publicly Disclosed Vulnerability Before Being Patched

Although the list of patched vulnerabilities does not include any zero-day flaws, one of the security flaws (CVE-2018-0771) in Microsoft Edge was publicly known before the company released patches, but was not listed as being under active attack.

Listed as Moderate, the issue is a Same-Origin Policy (SOP) bypass vulnerability which occurs due to Microsoft Edge's improper handling of requests of different origins.

The vulnerability could allow an attacker to craft a webpage that bypasses the SOP restrictions and gets the browser to send data from other sites, that is, requests that the SOP restrictions in place should otherwise cause to be ignored.

Meanwhile, Adobe on Tuesday also released security updates for its Acrobat, Reader and Experience Manager products to address a total of 41 security vulnerabilities, out of which 17 are rated as critical and 24 important in severity.

Users are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Two days ago, when infosec bods claimed to have uncovered what's believed to be the first case of a SCADA network (a water utility) infected with cryptocurrency-mining malware, a batch of journalists accused other authors of writing fear-mongering headlines, taunting that the next headline could be about a cryptocurrency miner detected in a nuclear plant.

It seems that now they have to run a story themselves with such headlines on their website because Russian Interfax News Agency yesterday reported that several scientists at Russia's top nuclear research facility had been arrested for mining cryptocurrency with "office computing resources."

The suspects work as engineers at the Russian Federation Nuclear Center facility—also known as the All-Russian Research Institute of Experimental Physics—which works on developing nuclear weapons.

The center is located in Sarov, which is still a restricted area with high security. It is also the birthplace of the Soviet Union's first nuclear bomb.

In 2011, the Russian Federation Nuclear Center switched on a new supercomputer with a capacity of 1 petaflop, making it the twelfth most powerful in the world at the time.

According to Russian media reports, the engineers had tried to use one of Russia's most powerful supercomputers housed in the Federal Nuclear Center to mine Bitcoins.

The suspects were caught red-handed while attempting to connect the lab's supercomputer to the internet; the machine was supposed to be kept offline for security reasons, and the attempt alerted the nuclear center's security department.

Once caught, the engineers were handed over to the Federal Security Service (FSB).

"There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining," Tatyana Zalesskaya, head of the Institute's press service, told Interfax news agency.

"Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them," Zalesskaya added, without revealing the exact number of employees detained.

The Federal Security Service (FSB) has yet to issue a statement on the arrests and criminal charges.

Cryptocurrency has gained tremendous popularity over the past year. Mining a single Bitcoin is no cakewalk, as it requires an enormous amount of computational power and a huge amount of energy.

According to media reports, Russia is becoming a hotbed of cryptocurrency mining due to its low-cost energy reserves. One Russian businessman, Alexey Kolesnik, reportedly also bought two power stations exclusively to generate electricity for Bitcoin-mining data centers.

WordPress version 4.9.3 was released earlier this week with patches for a total of 34 vulnerabilities, but unfortunately, the new version broke the automatic update mechanism for millions of WordPress websites.

WordPress team has now issued a new maintenance update, WordPress 4.9.4, to patch this severe bug, which WordPress admins have to install manually.

According to security site WordFence, when the WordPress CMS tries to determine whether the site needs to install an updated version, if one is available, a PHP error interrupts the auto-update process.

If not updated manually to the latest 4.9.4 version, the bug would leave your website on WordPress 4.9.3 forever, leaving it vulnerable to future security issues.

Here's what WordPress lead developer Dion Hulse explained about the bug:

"#43103-core aimed to reduce the number of API calls which get made when the auto-update cron task is run. Unfortunately, due to human error, the final commit didn't have the intended effect and instead triggers a fatal error as not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error was not discovered before 4.9.3's release—it was a few hours after release when discovered."

The issue has since been fixed, but as reported, the fix will not be installed automatically.

Thus, WordPress administrators are being urged to update to the latest WordPress release manually to make sure they'll be protected against future vulnerabilities.

To manually update their WordPress installations, admin users can sign into their WordPress website and visit Dashboard→Updates and then click "Update Now."

After the update, make sure that your core WordPress version is 4.9.4.

However, not all websites that received the faulty update have reported seeing this bug. Some users have seen their websites install both updates (4.9.3 and 4.9.4) automatically.

Moreover, the company released two new maintenance updates this week, but neither of them includes a security patch for a severe application-level DoS vulnerability disclosed last week that could allow anyone to take down most WordPress websites even with a single machine.

Since WordPress sites are a frequent target for hackers because of the platform's wide popularity in the content management system (CMS) market, administrators are advised to always keep their software and plugins up to date.

A Virtual Private Network (VPN) is one of the best tools you can have to protect your privacy and data on the Internet, but you should be vigilant when choosing a VPN service and pick one that truly respects your privacy.

If you are using the popular VPN service Hotspot Shield for online anonymity and privacy, you may inadvertently be leaking your real IP address and other sensitive information.

Developed by AnchorFree GmbH, Hotspot Shield is a VPN service available for free on Google Play Store and Apple Mac App Store with an estimated 500 million users around the world.

The service promises to "secure all online activities," hide users' IP addresses and their identities and protect them from tracking by transferring their internet and browsing traffic through its encrypted channel.

However, an 'alleged' information disclosure vulnerability discovered in Hotspot Shield results in the exposure of user data, such as the name of the Wi-Fi network (if connected) and users' real IP addresses, which could reveal their location, as well as other sensitive information.

The vulnerability, assigned CVE-2018-6460, was discovered and reported to the company by an independent security researcher, Paulos Yibelo, but he made details of the vulnerability public on Monday after not receiving a response from the company.

According to the researcher's claims, the flaw resides in the local web server (listening on the hardcoded host 127.0.0.1 and port 895) that Hotspot Shield installs on the user's machine.

This server hosts multiple JSONP endpoints which, surprisingly, are accessible to unauthenticated requests as well, and whose responses can reveal sensitive information about the active VPN service, including its configuration details.

"http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected to what and what their real IP address is & other system juicy information. There are other multiple endpoints that return sensitive data including configuration details," Yibelo claims.

"User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine," the vulnerability description reads.
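The weakness described above is a localhost service that answers any caller and reflects a caller-supplied function name into JavaScript. The following is an added example of the defensive pattern for such an endpoint; it is not Hotspot Shield's code, and the header name `X-Local-Token`, the token scheme, and the function names are assumptions. It shows the two checks that close this class of issue: a per-install secret carried in a custom header (which a `<script src>` tag or a simple cross-site form cannot set) and a strict grammar for the JSONP callback name, so the response can never contain caller-chosen JavaScript syntax.

```python
"""Defensive pattern for a localhost status endpoint that serves JSONP.

Added example, not Hotspot Shield's code. Header name, token handling and
endpoint shape are assumptions made for the illustration.
"""
import hmac
import json
import re
import secrets
from typing import Dict, Mapping, Tuple

TOKEN_HEADER = "X-Local-Token"  # assumed name of the custom header the native client sends
# A callback must be a short, dotted JS identifier: no parentheses, quotes or semicolons.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]{0,63}(?:\.[A-Za-z_$][\w$]{0,63}){0,3}")


def is_valid_callback(name: str) -> bool:
    """True only for names that cannot introduce JavaScript syntax of their own."""
    return _CALLBACK_RE.fullmatch(name) is not None


def authorize(headers: Mapping[str, str], expected_token: str) -> Tuple[bool, str]:
    """Decide whether a request to the local status endpoint may be served."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browser-initiated cross-site requests (fetch/XHR/forms) carry an Origin header;
    # the native desktop client never does, so Origin is a hard reject.
    if "origin" in h:
        return False, "cross-origin request from a web page"
    supplied = h.get(TOKEN_HEADER.lower(), "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not supplied or not hmac.compare_digest(supplied.encode(), expected_token.encode()):
        return False, "missing or invalid local token"
    return True, "ok"


def render_jsonp(callback: str, data: Dict) -> Tuple[int, Dict[str, str], str]:
    """Build (status, headers, body). Bad callback names are refused, never echoed."""
    if not is_valid_callback(callback):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    # json.dumps escapes non-ASCII, so U+2028/U+2029 cannot break the script literal.
    body = "/**/" + callback + "(" + json.dumps(data) + ");"
    return 200, {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }, body


def handle_status(headers: Mapping[str, str], query: Mapping[str, str],
                  expected_token: str, status: Dict) -> Tuple[int, Dict[str, str], str]:
    """Full decision for GET /status.js?callback=...: authorise first, then render."""
    allowed, reason = authorize(headers, expected_token)
    if not allowed:
        return 403, {"Content-Type": "text/plain"}, reason
    return render_jsonp(query.get("callback", "cb"), status)


# Constructed sample data. A real install would generate the token once and store it
# in a file readable only by the user's account, where the native UI reads it back.
SAMPLE_TOKEN = secrets.token_hex(32)
SAMPLE_STATUS = {"connected": True, "country": "XX"}  # constructed, not real VPN output

if __name__ == "__main__":
    cases = [
        ("native client", {TOKEN_HEADER: SAMPLE_TOKEN}, {"callback": "app.onStatus"}),
        ("no token", {}, {"callback": "app.onStatus"}),
        ("web page", {TOKEN_HEADER: SAMPLE_TOKEN, "Origin": "https://some-site.invalid"}, {}),
        ("bad callback", {TOKEN_HEADER: SAMPLE_TOKEN}, {"callback": "cb();x"}),
    ]
    for name, hdrs, q in cases:
        code, _, body = handle_status(hdrs, q, SAMPLE_TOKEN, SAMPLE_STATUS)
        print(f"{name}: {code} {body}")
```

Only the first of the four cases in the usage block is served; the other three fail closed with a 403 or 400 and never reach the JSON serialisation, which is the point of ordering the token check before rendering.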

Yibelo has also publicly released a proof-of-concept (PoC) exploit code—just a few lines of JavaScript code—that could allow an unauthenticated, remote attacker to extract sensitive information and configuration data.

However, ZDNet reporter Zack Whittaker tried to verify the researcher's claim and found that the PoC code only revealed the Wi-Fi network name and country, but not the real IP address.

In a statement, an AnchorFree spokesperson acknowledged the vulnerability but denied that the real IP address is disclosed, as claimed by Yibelo.

"We have found that this vulnerability does not leak the user's real IP address or any personal information, but may expose some generic information such as the user's country," the spokesperson told ZDNet.

The researcher also claims that he was able to leverage this vulnerability to achieve remote code execution.

Hotspot Shield also made headlines in August last year, when the Centre for Democracy and Technology (CDT), a US non-profit advocacy group for digital rights, accused the service of allegedly tracking, intercepting and collecting its customers' data.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

The growing popularity of Bitcoin and other cryptocurrencies is generating curiosity—and concern—among security specialists. Crypto mining software has been found on user machines, often installed by botnets. Organizations need to understand the risks posed by this software and what actions, if any, should be taken.

To better advise our readers, we reached out to the security researchers at Cato Networks. Cato provides a cloud-based SD-WAN that includes FireWall as a Service (FWaaS). Its research team, Cato Research Labs, maintains the company's Cloud IPS, and today released a list of crypto mining pool addresses that you can use as a blacklist in your firewall. (To download the list, visit this page.)

Cato Research Labs determined crypto mining represents a moderate threat to the organization. Immediate disruption of the organization infrastructure or loss of sensitive data is not likely to be a direct outcome of crypto mining.

However, there are significant risks of increased facility cost that must be addressed.

Understanding Blockchain and Crypto Mining

Crypto mining is the process of validating cryptocurrency transactions and adding encrypted blocks to the blockchain. Miners solve a hash to establish a valid block, receiving a reward for their efforts. The more blocks mined, the more difficult and resource-intensive solving the hash to mine a new block becomes.

Today, the mining process can require years with an off-the-shelf computer. To get around the problem, miners use custom hardware to accelerate the mining process, as well as forming "mining pools" where collections of computers work together to calculate the hash.

The more compute resources contributed to the pool, the greater the chance of mining a new block and collecting the reward. It's this search for more compute resources that has led some miners to exploit enterprise and cloud networks.
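To make "solving a hash" concrete, here is an added toy proof-of-work, not code from the article or from any real miner. It searches for a nonce such that SHA-256 over the block header plus nonce has at least `difficulty_bits` leading zero bits; the 8-byte nonce encoding and the leading-zero-bits target are simplifications of what real networks do, but the cost curve is the same: each extra bit of difficulty doubles the expected number of hashes, while checking a solution is always a single hash.

```python
"""Toy proof-of-work showing why mining is compute-bound (added illustration)."""
import hashlib
from typing import Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 256-bit digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def block_hash(header: bytes, nonce: int) -> bytes:
    # Simplification: one SHA-256 over header || 8-byte big-endian nonce.
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification costs one hash; the asymmetry with mining is the whole point."""
    return leading_zero_bits(block_hash(header, nonce)) >= difficulty_bits


def mine(header: bytes, difficulty_bits: int, max_attempts: int = 1 << 26) -> Tuple[int, int]:
    """Brute-force a nonce. Returns (nonce, attempts); raises if the budget runs out."""
    for nonce in range(max_attempts):
        if verify(header, nonce, difficulty_bits):
            return nonce, nonce + 1
    raise RuntimeError("no solution within the attempt budget")


def expected_attempts(difficulty_bits: int) -> int:
    """Mean hashes needed: 2**bits, since each hash is an independent trial."""
    return 1 << difficulty_bits


if __name__ == "__main__":
    header = b"constructed-header"  # constructed sample, not a real block header
    for bits in (8, 12, 16):
        nonce, attempts = mine(header, bits)
        print(f"{bits} bits: nonce={nonce} attempts={attempts} "
              f"expected~{expected_attempts(bits)} hash={block_hash(header, nonce).hex()[:16]}...")
```

Running the usage block at 8, 12 and 16 bits shows the attempt count growing roughly sixteenfold per four-bit step, which is why a miner's only lever is more hashing capacity, whether custom hardware, a pool, or somebody else's CPUs.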

Participating in mining pools requires computers run native or JavaScript-based mining software (see Figure 1). Both will use the Stratum protocol to distribute computational tasks among the computers in the mining pool using TCP or HTTP/S (technically, WebSockets over HTTP/S).

Figure 1: An example of a website running JavaScript-based mining software. Typically, websites do not ask for permission.

Native mining software will typically use long-lasting TCP connections, running Stratum over TCP; JavaScript-based software will usually rely on shorter-lived connections and run Stratum over HTTP/S.

The Risk Crypto Mining Poses to the Enterprise

Mining software poses a risk to the organization on two counts. In all cases, mining software is highly compute-intensive, which can slow down an employee's machine. Running CPUs with a "high load" for an extended period of time will increase electricity costs and may also shorten the life of the processor or the battery within laptops.

Mining software is also being distributed by some botnets. Native mining software accesses the underlying operating system in a way similar to how botnet-delivered malware exploits a victim’s machine. As such, the presence of native mining software may indicate a compromised device.

How To Protect Against Crypto Mining

Cato Research Labs recommends blocking crypto mining on your network. This can be done by disrupting the process of joining and communicating with the mining pool.

The deep packet inspection (DPI) engine in many firewalls can be used to detect and block Stratum over TCP. Alternatively, you can block the addresses and domains for joining public mining pools.

Approach 1: Blocking Unencrypted Stratum Sessions with DPI

DPI engines can disrupt blockchain communications by blocking Stratum over TCP. Stratum uses a publish/subscribe architecture where servers send messages (publish) to subscribed clients. Blocking the subscription or publishing process will prevent Stratum from operating across the network.

A subscription request to join a pool will have the following entities: id, method, and params (see Figure 3). Configure DPI rules to look for these parameters to block Stratum over unencrypted TCP.

{"id": 1, "method": "mining.subscribe", "params": []}

Three parameters are used in a subscription request message when joining a pool.
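As an added example of the DPI rule this section describes, the following Python code (not Cato's IPS code) classifies lines of a reassembled TCP payload as Stratum requests when they are a JSON object carrying exactly the three entities named above, `id`, `method` and `params`, with a method in the `mining.` namespace of the sample subscription message. The `JOIN_METHODS` set and the function names are assumptions; the sample payloads are constructed, not captured traffic.

```python
"""Detect unencrypted Stratum mining-pool requests in reassembled TCP payloads.

Added example; not Cato's IPS code. Encodes the rule from the article: a Stratum
request is a one-line JSON object with id, method and params, and pool methods
live in the "mining." namespace (as in the mining.subscribe message shown).
"""
import json
from typing import List, Optional

STRATUM_PREFIX = "mining."
# Methods that mark a client joining a pool; seeing either is enough to block the flow.
JOIN_METHODS = {"mining.subscribe", "mining.authorize"}


def parse_stratum_request(line: str) -> Optional[dict]:
    """Return {'id', 'method'} if `line` is a Stratum request, else None.

    Non-JSON lines, JSON that is not an object, JSON-RPC for other APIs, and
    server responses (which carry 'result'/'error' instead of 'method') all
    return None, which keeps the rule from matching unrelated JSON traffic.
    """
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict) or not {"id", "method", "params"}.issubset(msg):
        return None
    method = msg["method"]
    if not isinstance(method, str) or not method.startswith(STRATUM_PREFIX):
        return None
    if not isinstance(msg["params"], list):
        return None
    return {"id": msg["id"], "method": method}


def scan_payload(payload: bytes) -> List[dict]:
    """Stratum is newline-delimited, so scan each line of the reassembled payload."""
    hits = []
    for raw in payload.split(b"\n"):
        try:
            line = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary data (e.g. a TLS record) cannot be a Stratum line
        req = parse_stratum_request(line)
        if req is not None:
            hits.append(req)
    return hits


def should_block(payload: bytes) -> bool:
    """DPI verdict: block once a join request (subscribe/authorize) is seen."""
    return any(h["method"] in JOIN_METHODS for h in scan_payload(payload))


# Constructed sample payloads, not captured traffic.
SAMPLE_MINER = (
    b'{"id": 1, "method": "mining.subscribe", "params": []}\n'
    b'{"id": 2, "method": "mining.authorize", "params": ["wallet.worker1", "x"]}\n'
)
SAMPLE_OTHER_RPC = b'{"id": 1, "method": "eth_blockNumber", "params": []}\n'
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_TLS_LIKE = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\xff" * 16

if __name__ == "__main__":
    for name, data in [("miner", SAMPLE_MINER), ("other-rpc", SAMPLE_OTHER_RPC),
                       ("http", SAMPLE_HTTP), ("tls-like", SAMPLE_TLS_LIKE)]:
        print(f"{name}: block={should_block(data)} requests={scan_payload(data)}")
```

The rule only sees plaintext: the TLS-like sample produces no hits at all, which is the limitation the next approach on this page addresses by blocking pool addresses instead. Requiring `params` to be a list and `method` to carry the `mining.` prefix keeps other JSON-RPC APIs from tripping the rule.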

Approach 2: Blocking Public Mining Pool Addresses

However, some mining pools set up secure (encrypted) Stratum channels. This is particularly true for JavaScript-based applications, which often run Stratum over HTTPS.

Detecting Stratum in that case will be difficult for DPI engines that do not decrypt TLS traffic at scale. (For the record, Cato IPS can decrypt TLS sessions at scale.) In those cases, organizations should block the IP addresses and domains that form the public blockchain pools.

To determine the IP addresses to block, look at the configuration information needed to join a mining pool. Mining software requires miners to fill in the following details:

Organizations could configure firewall rules to use a blacklist and block the relevant addresses. In theory, such a list should be easy to create as the necessary information is publicly available. Most mining pools publish their details over the Internet in order to attract miners to their networks (see Figure 4).

Figure 4: Public addresses for mining pools are well advertised as demonstrated by mineXMR.com’s “Getting Started” page

Despite extensive research, though, Cato Research Labs could not find a reliable feed of mining pool addresses. Without such a list, collecting the target mining pool addresses for blocking would be time-consuming.

IT professionals would be forced to manually enter in public addresses, which will likely change or increase, requiring constant maintenance and updates.

Cato Research Labs Publishes List of Mining Pool Addresses

To address the issue, Cato Research Labs generated its own list of mining pool addresses for use by the greater community. Using Google to identify sites and then employing scraping techniques, Cato researchers were able to extract pool addresses for many mining pools.

Cato researchers wrote code that leveraged those results to develop a mining-pool address feed. Today, the list identifies hundreds of pool addresses (see Figure 5) and should be suitable for most DPI rule engines. See here for the full list.

Final Thoughts

The combined risk of impairing devices, increasing costs, and botnet infections led Cato Research Labs to strongly recommend that IT prevent and remove crypto mining from enterprise networks.

Should software-mining applications be found on the network, Cato Research Labs strongly recommends investigating for active malware infections and cleaning those machines to reduce any risk to the organization's data.

Cato Research Labs has provided a list of addresses that can be used towards that goal, blocking access to public blockchain pools. But there is always a chance of new pools or addresses appearing, which is why Cato Research Labs strongly recommends constructing rules using a DPI engine with sufficient encrypted-session capacity.

More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors' computers to mine digital currencies but also logs visitors' every keystroke.

Coinhive is a popular browser-based service that lets website owners embed JavaScript that uses the CPU power of their website visitors to mine the Monero cryptocurrency.

Sucuri researchers said the threat actor behind this new campaign is the same one who infected more than 5,400 WordPress websites last month, since both campaigns used the keylogger/cryptocurrency malware called cloudflare[.]solutions.

Spotted in April last year, Cloudflare[.]solutions is cryptocurrency mining malware and is not at all related to the network management and cybersecurity firm Cloudflare. It was given this name because the malware initially spread from the cloudflare[.]solutions domain.

The malware was updated in November to include a keylogger. The keylogger behaves the same way as in previous campaigns and can capture input on both the site's administrator login page and the website's public-facing frontend.

If the infected WordPress site is an e-commerce platform, hackers can steal much more valuable data, including payment card data. If hackers manage to steal the admin credentials, they can just log into the site without relying upon a flaw to break into the site.

The cloudflare[.]solutions domain was taken down last month, but criminals behind the campaign registered new domains to host their malicious scripts that are eventually loaded onto WordPress sites.

The new web domains registered by hackers include cdjs[.]online (registered on December 8th), cdns[.]ws (on December 9th), and msdns[.]online (on December 16th).

Just like in the previous cloudflare[.]solutions campaign, the cdjs[.]online script is injected into either a WordPress database or the theme's functions.php file. The cdns[.]ws and msdns[.]online scripts are also found injected into the theme's functions.php file.

According to source-code search engine PublicWWW, some 129 websites are infected via the cdns[.]ws domain and 103 via cdjs[.]online, though over a thousand sites were reported to have been infected via the msdns[.]online domain.

Researchers said it's likely that the majority of the websites have not been indexed yet.

"While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn't even notice the original infection," Sucuri researchers concluded.

If your website has already been compromised by this infection, you will need to remove the malicious code from the theme's functions.php and scan the wp_posts table for any possible injection.
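The clean-up check just described, as an added example that is not Sucuri's tooling: it scans the text of a theme's functions.php and the post_content of wp_posts rows for `<script src>` tags, refangs the campaign domains named in this article into hostnames, flags any script loaded from those domains as malicious, and reports every other off-site script host for manual review (which is how a site that was re-infected from a newly registered domain would still surface). The function names are assumptions, and the sample functions.php and post rows are constructed, including the script paths under the campaign domains.

```python
"""Scan WordPress theme code and post content for injected third-party scripts.

Added example, not Sucuri's tooling. Campaign domains come from the article;
sample inputs (and the paths under those domains) are constructed.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Domains from the article, written defanged; refang() turns them into hostnames.
CAMPAIGN_DOMAINS = ("cloudflare[.]solutions", "cdjs[.]online", "cdns[.]ws", "msdns[.]online")


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").lower()


KNOWN_BAD = {refang(d) for d in CAMPAIGN_DOMAINS}

# src attribute of a <script> tag, whether in raw HTML or inside a PHP string that echoes HTML.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*?(?<![\w-])src\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def host_of(src: str) -> str:
    """Hostname of a script URL; protocol-relative //host/x.js is common in injections."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def matches_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def classify_host(host: str, site_host: str) -> str:
    """'malicious' for campaign domains, 'review' for any other off-site host,
    'ok' for the site's own host or a relative path (empty host)."""
    if not host or matches_domain(host, site_host):
        return "ok"
    if any(matches_domain(host, bad) for bad in KNOWN_BAD):
        return "malicious"
    return "review"


def scan_text(text: str, location: str, site_host: str) -> List[Dict[str, str]]:
    findings = []
    for m in SCRIPT_SRC_RE.finditer(text):
        src = m.group(1)
        host = host_of(src)
        verdict = classify_host(host, site_host)
        if verdict != "ok":
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"location": location, "line": line_no, "src": src,
                             "host": host, "verdict": verdict})
    return findings


def scan_functions_php(source: str, site_host: str) -> List[Dict[str, str]]:
    return scan_text(source, "functions.php", site_host)


def scan_wp_posts(rows: Iterable[Dict], site_host: str) -> List[Dict[str, str]]:
    """rows: dicts with 'ID' and 'post_content', e.g. from SELECT ID, post_content FROM wp_posts."""
    out = []
    for row in rows:
        out.extend(scan_text(row.get("post_content", ""), f"wp_posts ID={row['ID']}", site_host))
    return out


# Constructed samples: a legitimate enqueue, an injected echo in functions.php,
# and one post carrying a protocol-relative injection.
SAMPLE_FUNCTIONS_PHP = """<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('theme-main', get_template_directory_uri() . '/js/main.js');
});
add_action('wp_head', function () {
    echo '<script type="text/javascript" src="https://cdjs.online/example-injected.js"></script>';
});
"""
SAMPLE_POSTS = [
    {"ID": 7, "post_content": "<p>Hello</p><script src='//cdns.ws/example.js'></script>"},
    {"ID": 8, "post_content": '<p>Clean post <script src="https://www.example.com/js/app.js"></script></p>'},
]


def run_sample() -> List[Dict[str, str]]:
    site = "www.example.com"
    return scan_functions_php(SAMPLE_FUNCTIONS_PHP, site) + scan_wp_posts(SAMPLE_POSTS, site)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['verdict']:9} {f['location']} line {f['line']}: {f['src']}")
```

Because the injections are echoed from PHP or stored in the database rather than enqueued the normal way, a regex over the raw text catches both placements with one pass; pair it with the password and plugin update advice that follows, since removing the script alone does not close whatever let it in.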

Users are advised to change all WordPress passwords and update all server software, including third-party themes and plugins, just to be on the safe side.

The year 2017 saw some of the biggest cybersecurity incidents—from high profile data breaches in Equifax and Uber impacting millions of users to thousands of businesses and millions of customers being affected by the global ransomware threats like WannaCry and NotPetya.

The year has ended, but that did not stop the stream of cybersecurity incidents, threats, data breaches, and hacks.

The scope and pace of such cybersecurity threats will rise with every passing year, and with this rise, every corporation and organisation will need more certified cybersecurity experts and professionals to protect itself from hackers and cyber thieves.

That's why jobs in the cybersecurity field have grown 80 percent over the past three years, more than any other IT-related job. So, this is the right time for you to consider a new career as a cybersecurity professional.

But before getting started, you need to gain some valuable cyber security certifications that not only boost your skills but also verify your knowledge and credibility as a cybersecurity expert.

This online training course provides you with the best-selling study materials to pass the CISA, CISM, and CISSP certification exams. It dives deep into the most proven and practical methods for protecting vulnerable networks in any business environment.

From the fundamentals of cryptography and encryption to the security holes in computer networks and mobile apps, this online course will help you learn about information security audits, assurance, guidelines, standards, and best cybersecurity practices in the industry.

By the end of this course, you will have developed the expertise to manage, design, oversee, and assess an enterprise's information security, as well as to maintain a secure business environment using globally approved information security standards.

The CISA certification is renowned across the world as the standard of achievement for those who audit, monitor, assess and control information technology and business systems.

Being CISA-certified showcases candidates' audit experience, skills, and knowledge, and signifies that you are an expert in managing vulnerabilities, instituting controls and ensuring compliance within the enterprise.

The demand for skilled information security managers is on the rise, and CISM is the globally accepted certification standard of achievement in this area.

The uniquely management-focused CISM certification ensures you are equipped with the best practices in the IT industry and recognises your expertise to manage, design, oversee and assess an enterprise's information security.

So, to sign up for the Cybersecurity Certification Mega Bundle course, click on this link and get your online course now.

Buying this course will not be a wrong decision. In case you are not satisfied with this course for any reason, our training partner also provides a 15-day money-back guarantee and will issue a refund.

Dubbed Private Conversations, the new feature, which is about to be introduced in Skype, will offer end-to-end encryption for audio calls, text, and multimedia messages like videos and audio files.

"Skype Private Conversations give you enhanced security through end-to-end encryption with an additional layer of security for conversations between you and your friends and family," the company announced.

"Private Conversations can only be between you and one other contact. This is not supported in groups."

How to Start Skype End-to-End Encrypted Calls and Chats

Private Conversations is already available to the Skype Insider program, a platform that allows Skype users to test new features before they are rolled out to the rest of its over 300 million users worldwide.

To initiate a new secure communication with your Skype contact, you need to tap or click on the (+) icon, select 'New Private Conversation' and then select the contact you would like to start the secure communication with.

A Private Conversation will have a lock icon next to your Skype contact's name. Preview messages from Private Conversations will not appear in the chat list or notifications.

Unlike WhatsApp, Skype does not enable the end-to-end encryption feature by default; users need to select 'New Private Conversation' from the app's "Compose" menu, or from another user's profile, to initiate secure communication. This is like Facebook Messenger's Secret Conversations, which is also based on Signal.

Unfortunately, Private Conversations also does not currently support video calling, but video calls are still secured by the standard encryption that Microsoft already provides with its Skype service.

Also, even with Private Conversations enabled, Skype will still be able to access some information (metadata) about your secure communications, such as when you initiate them and how long the conversation lasts.

If you think that the CPU updates addressing this year's major security flaws, Meltdown and Spectre, are the only ones you are advised to grab immediately, there are a handful of other major security flaws that you should pay attention to.

Microsoft has issued its first Patch Tuesday for 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office that had been actively exploited by several threat groups in the wild.

Sixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework.

The zero-day vulnerability (CVE-2018-0802), described by Microsoft as a memory corruption flaw in Office, has already been targeted in the wild by several threat actor groups over the past few months.

The vulnerability, discovered by several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security's 0Patch Team, and Check Point Software Technologies, can be exploited for remote code execution by tricking a targeted user into opening a specially crafted malicious Word file in MS Office or WordPad.

According to the company, this security flaw is related to CVE-2017-11882—a 17-year-old vulnerability in the Equation Editor functionality (EQNEDT32.EXE), which Microsoft addressed in November.

When researchers at 0Patch were analysing CVE-2017-11882, they discovered a new, related vulnerability (CVE-2018-0802). More details of CVE-2018-0802 can be found in a blog post published by Check Point.

Besides CVE-2018-0802, the company has addressed nine more remote code execution and memory disclosure vulnerabilities in MS Office.

A spoofing vulnerability (CVE-2018-0819) in Microsoft Outlook for Mac, which has been listed as publicly disclosed (the Mailsploit attack), has also been addressed by the company. Because of the vulnerability, some versions of Outlook for Mac do not handle the encoding and display of email addresses properly, causing antivirus or anti-spam scanning not to work as intended.

Microsoft also addressed a certificate validation bypass vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that could allow malware authors to show their invalid certificates as valid.

"An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose," describes Microsoft. "This action disregards the Enhanced Key Usage taggings."

The company has also patched a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer.

All these flaws could be exploited for remote code execution by tricking a targeted user into opening a specially crafted webpage that triggers a memory corruption error, though none of them has been seen exploited in the wild yet.

Meanwhile, Adobe has patched a single out-of-bounds read flaw (CVE-2018-4871) in Flash Player this month that could lead to information disclosure, though no active exploits have been seen in the wild.

Users are strongly advised to apply the security patches as soon as possible to prevent attackers from taking control of their computers.

To install the updates, go to Settings → Update & security → Windows Update → Check for updates, or install them manually.


Remember how some cybercriminals shut down most of Washington D.C. police's security cameras for four days ahead of President Donald Trump's inauguration earlier this year?

Just a few days after the incident, British authorities arrested two people in the United Kingdom, a British man and a Swedish woman, both 50 years old, at the request of U.S. officials.

But now a US federal court affidavit has revealed that two Romanian nationals were behind the attack, which compromised 70% of the computers controlling the Washington DC Metropolitan Police Department's surveillance camera network in January this year, CNN reports.

The two suspects—Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28—were arrested in Bucharest on December 15 on charges of conspiracy to commit wire fraud and various forms of computer fraud.

According to the criminal complaint unsealed in Washington, the pair hacked 123 of the Metropolitan Police Department's 187 outdoor surveillance cameras used to monitor public areas in D.C. by infecting computers with ransomware in an effort to extort money.

Ransomware is malicious software that encrypts or locks a victim's files and then demands a ransom (usually in Bitcoin) in exchange for restoring access to them.

The cyber attack occurred just days before the inauguration of President Donald Trump and lasted almost four days, leaving the CCTV cameras unable to record anything between 12 and 15 January 2017.

Instead of fulfilling ransom demands, the DC police department took the storage devices offline, removed the infection and rebooted the systems across the city, ensuring that the surveillance camera system was secure and fully operational.

"This case was of the highest priority due to its impact on the Secret Service’s protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration," the Justice Department said.

"The investigation revealed no evidence that any person’s physical security was threatened or harmed due to the disruption of the MPD surveillance cameras."

The affidavit, dated December 11, states that the defendants used two ransomware variants, Cerber and Dharma. Other evidence also revealed a scheme to distribute ransomware by email to at least 179,000 email addresses.

"According to the complaint, further investigation showed that the two defendants, Isvanca and Cismaru, participated in the ransomware scheme using the compromised MPD surveillance camera computers, among others," the Justice Department said.

"The investigation also identified certain victims who had received the ransomware or whose servers had been accessed during the scheme."

However, it is still unclear whether the arrested pair acted alone or were part of a larger cybercriminal network.

While Isvanca remains in custody in Romania, Cismaru is under house arrest pending further legal proceedings, according to the Justice Department.

If extradited and convicted, the Romanian defendants could face a maximum of 20 years in prison.

Pavel Lerner, a prominent Russian blockchain expert and managing director of the major cryptocurrency exchange EXMO, has allegedly been kidnapped by unknown criminals in the Ukrainian capital, Kiev.

According to the Ukraine-based web publication Strana, Lerner, a 40-year-old Russian citizen, was kidnapped on December 26 as he was leaving his office in the centre of the city (on Stepan Bandera Avenue).

The information comes from an anonymous source in Ukrainian law enforcement; several investigations are under way to establish why and by whom Lerner was kidnapped.

Lerner is a recognized IT specialist in Ukraine who led a number of startups related to blockchain technology development and mining operations.

Lerner is also the managing director of EXMO, a major UK-based cryptocurrency exchange founded in 2013 and popular with Russian users because it accepts ruble payments.

Police in Kiev have opened an investigation, which they are treating as a kidnapping, and are conducting a search operation and following up every possible lead.

EXMO's representatives confirmed the media reports in a statement to the local crypto journal BitNovosti and appealed for any information that could help locate Lerner.

The company also assured its customers that EXMO's operations were not affected by the incident and that Lerner did not have direct access to any cryptocurrency accounts or other personal data.

"We are doing everything possible to speed up the search of Pavel Lerner. Any information regarding his whereabouts is very much appreciated," PR-department of EXMO said.

"Despite the situation, the exchange is working as usual. We also want to stress that nature of Pavel’s job at EXMO doesn’t assume access either to storages or any personal data of users. All users funds are absolutely safe."

Lerner's case is the latest of several involving Russian nationals with a cryptocurrency background.

In July this year, Alexander Vinnik, a 38-year-old Russian citizen and operator of the cryptocurrency exchange BTC-e, was detained in northern Greece at the request of US law enforcement authorities. In October, a Greek court ruled that Vinnik should be extradited to the United States.

US authorities accuse Vinnik of crimes related to the hack of Mt. Gox, the exchange that shut down in 2014 following a series of thefts totalling at least $375 million in Bitcoin.

Buying popular plugins with a large user base and using them for effortless malicious campaigns has become a new trend among bad actors.

One such incident happened recently when the well-known developer BestWebSoft sold its popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.

In a blog post published on Tuesday, security firm WordFence revealed why WordPress recently removed the popular Captcha plugin, which has more than 300,000 active installations, from its official plugin repository.

While reviewing the source code of the Captcha plugin, WordFence found a severe backdoor that could allow the plugin author, or other attackers, to remotely gain administrative access to WordPress websites without any authentication.

After installation from the official WordPress repository, the plugin was configured to automatically pull an updated, backdoored version from a remote URL, https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php, without the site admin's consent.

The backdoor code was designed to create a login session with administrative privileges for the attacker, in this case the plugin author, giving them remote access to any of the 300,000 websites running the plugin without any authentication.

Moreover, the modified code pulled from the remote server is almost identical to the code in the legitimate plugin repository, so "triggering the same automatic update process removes all file system traces of the backdoor," making it look as if it was never there and helping the attacker avoid detection.
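The backdoor described above lived in files that an automatic update fetched and that the same update could later replace, so the practical defence is to know what an honest copy of the plugin looks like and compare against it. The example below is added here and is not WordFence's or WordPress's code: it hashes a known-good copy of a plugin into a manifest, diffs an installed copy against it, and additionally flags any PHP file that hooks WordPress's `pre_set_site_transient_update_plugins` filter, which is what a plugin uses to steer its own updates to a server other than wordpress.org. The file contents are constructed for the example, and the hook heuristic is an assumption about what a legitimate repository plugin has no reason to do, not a description of how the Captcha backdoor was actually implemented.

```python
import hashlib
from pathlib import Path
from typing import Dict, List

# The WordPress filter a plugin hooks to inject its own update source.
UPDATE_HOOK = b"pre_set_site_transient_update_plugins"


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map plugin-relative path -> SHA-256 of contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def read_tree(plugin_dir: str) -> Dict[str, bytes]:
    """Load an installed plugin directory (e.g. wp-content/plugins/captcha) into
    the same path -> bytes shape used by the constructed samples below."""
    root = Path(plugin_dir)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def compare(known_good: Dict[str, str], installed: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified, added (not in the trusted copy) or missing."""
    return {
        "modified": sorted(p for p in known_good if p in installed and installed[p] != known_good[p]),
        "added": sorted(p for p in installed if p not in known_good),
        "missing": sorted(p for p in known_good if p not in installed),
    }


def find_update_hooks(files: Dict[str, bytes]) -> List[str]:
    """PHP files that hook the plugin-update transient; a plugin shipped from the
    official repository has no reason to override where its updates come from."""
    return sorted(p for p, data in files.items()
                  if p.endswith(".php") and UPDATE_HOOK in data)


def audit(known_good: Dict[str, bytes], installed: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Full check: integrity diff plus the update-hook heuristic."""
    report = compare(build_manifest(known_good), build_manifest(installed))
    report["update_hooks"] = find_update_hooks(installed)
    return report


# Constructed sample: a trimmed-down 'official' plugin and a tampered install.
KNOWN_GOOD_FILES = {
    "captcha.php": b"<?php\n/* Plugin Name: Captcha */\nrequire 'includes/functions.php';\n",
    "includes/functions.php": b"<?php\nfunction cptch_check($answer) { return $answer !== ''; }\n",
}
TAMPERED_FILES = dict(KNOWN_GOOD_FILES)
TAMPERED_FILES["captcha.php"] += b"require 'includes/update.php';\n"
TAMPERED_FILES["includes/update.php"] = (
    b"<?php\n"
    b"add_filter('pre_set_site_transient_update_plugins', 'cptch_inject_update');\n"
)

if __name__ == "__main__":
    for category, paths in audit(KNOWN_GOOD_FILES, TAMPERED_FILES).items():
        print(f"{category:13}: {paths}")
```

Take the manifest from the zip you download from the official repository, not from the running site, and keep the audit output: because the backdoored files can be swapped back by the same update mechanism, a snapshot at the moment of suspicion is the only record that the modified and added files were ever there.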

The reason for adding the backdoor is unclear at the moment, but anyone who pays a handsome sum for a popular plugin with a large user base must have a strong motive.

In similar cases, we have seen organised cyber gangs acquire popular plugins and applications to stealthily infect their large user bases with malware, adware, and spyware.

While trying to establish the identity of the Captcha plugin's buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named "Stacy Wellington" using the email address "scwellington[at]hotmail.co.uk."

Using reverse WHOIS lookups, the researchers found a large number of other domains registered to the same user, tied to plugins including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

Interestingly, every one of those plugins contained the same backdoor code that the WordFence researchers found in Captcha.

WordFence has worked with WordPress to patch the affected version of the Captcha plugin and block the author from publishing updates, so website administrators are strongly advised to replace their copy with the latest official Captcha version, 4.4.5.

WordFence has promised to release in-depth technical details of how the backdoor is installed and executed, along with a proof-of-concept exploit, after 30 days, giving admins enough time to patch their websites.

Just last week, researchers from AdGuard discovered that some popular video streaming and ripping sites, including openload, Streamango, Rapidvideo, and OnlineVideoConverter, hijack CPU cycles from their hundreds of millions of visitors to mine the Monero cryptocurrency.

Now, researchers from Moscow-based cyber security firm Kaspersky Lab have uncovered a new strain of Android malware lurking in fake anti-virus and porn applications, which is capable of performing a plethora of nefarious activities—from mining cryptocurrencies to launching Distributed Denial of Service (DDoS) attacks.

Dubbed Loapi, the new Android Trojan can run so many malicious activities at once that it can push a handset so hard that, within just two days of infection, the phone's battery bulges out of its cover.

Described as a "jack-of-all-trades" by the researchers, Loapi has a modular architecture that lets it conduct a variety of malicious activities, including mining the Monero cryptocurrency, launching DDoS attacks, bombarding infected users with constant ads, redirecting web traffic, sending text messages, and downloading and installing other apps.

Loapi Destroyed An Android Phone In Just 2 Days

When analyzing a Loapi sample, Kaspersky's researchers discovered that the malware mines Monero so intensely that it destroyed an Android phone after two days of testing, causing the battery to bulge and deform the phone's cover.

According to the researchers, the cybercriminals behind Loapi are the same group responsible for the 2015 Android malware Podec. They distribute the malware through third-party app stores and online advertisements posing as apps for "popular antivirus solutions and even a famous porn site."

Upon installation, Loapi forces the user to grant it 'device administrator' permissions by showing a pop-up in a loop until the victim taps yes, which gives the malicious app the same power over the smartphone that its owner has.

This high level of privilege would also make Loapi ideal for spying on users. That capability is not yet present in the malware, but the Kaspersky researchers believe it could be added in the future.

Loapi Malware Aggressively Fights to Protect Itself

Researchers also said the malware "aggressively fights any attempts to revoke device manager permissions" by locking the screen and closing phone windows by itself.

Each of Loapi's modules, including the advertisement, SMS, mining, web crawler and proxy modules, communicates with its own command-and-control (C&C) server for the functions it performs on the infected device.

Loapi also checks the device against a list of legitimate antivirus apps that pose a threat to it, obtained via its C&C server; when one is found, it declares the real app to be malware and shows a pop-up urging the user to delete it, in a loop, until the user finally does.

"Loapi is an interesting representative from the world of malicious Android apps. It’s creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device," the researchers concluded.

Fortunately, Loapi has not made its way into the Google Play Store, so users who stick to downloads from the official app store are not affected. But you should remain vigilant even when installing apps from the Play Store, as malware regularly makes its way there too.

Net neutrality is DEAD: 3 out of 5 federal regulators voted on Thursday to hand control of the future of the Internet to cable and telecommunications companies, giving them the power to speed up service for websites they favor and slow down others.

As proposed this summer, the US Federal Communications Commission (FCC) has rolled back the Net Neutrality rules that required Internet Service Providers (ISPs) to treat all services and websites equally and prohibited them from blocking sites or charging for higher-quality service.

This action repeals the FCC's 2015 Open Internet Order decision taken during the Obama administration.

What is Net Neutrality and Why Is It Important?

Net Neutrality is simply Internet Freedom—Free, Fast and Open Internet for all.

In other words, Net Neutrality is the principle that ISPs must give consumers access to all content on an equal basis, treating all Internet traffic the same.

Today, if there's something that makes everyone across the world 'Equal,' it is the Internet.

Equality on the Internet means that ISPs have to treat major websites like Facebook and Google the same way as someone's local shop website, and that the wealthiest person in the world has the same right to access the Internet as the poorest.

This is what "Net Neutrality" aims at.

Here's Why the FCC Repeals Net Neutrality Rules

The Trump administration's FCC Chairman, Ajit Pai, who has openly expressed his opposition to net neutrality, was previously quoted as calling it "a mistake."

Pai has previously argued that the 2015 regulations had discouraged internet providers from investing in their networks, as well as slowed the expansion of internet access.

On Thursday, the FCC's two Democrats voted against the repeal, while the three Republican members, Chairman Pai, Commissioner Brendan Carr and Commissioner Mike O'Rielly, voted to overturn the protections put in place in 2015.

Here's what the three Republicans said in their remarks about the decision to repeal Net Neutrality:

"Prior to the FCC's 2015 decision, consumers and innovators alike benefitted from a free and open internet. This is not because the government imposed utility-style regulation. It didn't. This is not because the FCC had a rule regulating internet conduct. It had none. Instead through Republican and Democratic administrations alike, including the first six years of the Obama administration, the FCC abided by a 20-year bipartisan consensus that the government should not control or heavily regulate internet access," said Commissioner Carr.

"I sincerely doubt that legitimate businesses are willing to subject themselves to a PR nightmare for attempting to engage in blocking, throttling, or improper discrimination. It is simply not worth the reputational cost and potential loss of business," said Commissioner O'Rielly.

"How does a company decide to restrict someone's accounts or block their tweets because it thinks their views are inflammatory or wrong? How does a company decide to demonetize videos from political advocates without any notice?...You don't have any insight into any of these decisions, and neither do I, but these are very real actual threats to an open internet," said Chairman Pai.

Here's How the Internet & Tech Firms Reacted

The response from the tech industry was swift, loud and predictable. The industry isn't happy with what is turning out to be the Trump administration's biggest regulatory move yet.

"We are incredibly disappointed that the FCC voted this morning – along partisan lines – to remove protections for the open internet. This is the result of broken processes, broken politics, and broken policies. As we have said over and over, we'll keep fighting for the open internet, and hope that politicians decide to protect their constituents rather than increase the power of ISPs," Mozilla said in a statement.

"Today's decision from the Federal Communications Commission to end net neutrality is disappointing and harmful. An open internet is critical for new ideas and economic opportunity – and internet providers shouldn't be able to decide what people can see online or charge more for certain websites," Sheryl Sandberg said, Chief Operating Officer of Facebook.

"We're disappointed in the decision to gut #NetNeutrality protections that ushered in an unprecedented era of innovation, creativity & civic engagement. This is the beginning of a longer legal battle. Netflix stands w/ innovators, large & small, to oppose this misguided FCC order," Netflix tweeted.

Obviously, Internet providers are more likely to strike lucrative deals with large, established services and websites than with relatively unknown companies or startups, which will be hit hardest by the repeal.

Unsurprisingly, ISPs including Comcast, Verizon, and AT&T have welcomed the new rules, saying they will not block or throttle any legal content, though they may engage in paid prioritization.

Since the commission will take a few weeks to finalise the new rules, you will not see any change right away.

What Next? Can Net Neutrality Be Saved?

Obviously, the decision cannot be reversed overnight.

Reportedly, attorneys general from across the country and consumer advocacy groups are considering suing the FCC in an attempt to reverse Thursday's repeal of the net neutrality rules.

To overturn the FCC's order, critics and internet activists are also going to push for Congress to step in and pass a resolution of disapproval using the Congressional Review Act.

"This fight isn't over. With our allies and our users, we will turn to Congress and the courts to fix the broken policies," Mozilla said.

"We're ready to work with members of Congress and others to help make the internet free and open for everyone," Sheryl Sandberg said.

"We will continue our fight to defend the open Internet and reverse this misguided decision," Twitter said.

The FCC's repeal of net neutrality will take effect 60 days after its publication in the Federal Register, which does not happen immediately and could take six weeks or more after the FCC vote.

Once it takes effect, the repeal will return the rules to the state they were in before 2015.

Here is our weekly roundup, briefing you on this week's top cybersecurity threats, incidents and challenges, in case you missed any of them.

It was a busy week, with big news ranging from the theft of over 4,700 Bitcoins from the largest cryptocurrency mining marketplace to the discovery of a new malware evasion technique that works on all versions of Microsoft's Windows operating system.

Besides this, the newly discovered Janus vulnerability in the Android operating system and a critical remote code execution (RCE) vulnerability in Microsoft's Malware Protection Engine (MPE), for which Microsoft released an emergency patch, also made it into our weekly roundup.

I recommend reading the full stories (just click 'Read More'), because there is some valuable advice in there as well.

So, here we go with the list of this Week's Top Stories:

Process Doppelgänging: New Malware Evasion Technique

A team of researchers, who previously discovered the AtomBombing attack, recently revealed a new fileless code injection technique that could help malware authors defeat most modern antivirus solutions and forensic tools.

Dubbed Process Doppelgänging, the method takes advantage of a built-in Windows function and an undocumented implementation detail of the Windows process loader, and works on all versions of Microsoft Windows from Windows Vista to the latest Windows 10.

To learn how the Process Doppelgänging attack works and why Microsoft declined to fix it, Read More.

A newly discovered vulnerability in Android, dubbed Janus, could let attackers modify the code of Android apps without affecting their signatures, allowing them to distribute malicious updates for legitimate apps that look and work the same as the originals.

Although Google patched the vulnerability this month, most Android users will still have to wait for their device manufacturers to release custom updates, apparently leaving a large number of Android users exposed to attackers for the next few months.

To know more about the vulnerability, how it works and if you are affected, Read More.

Pre-Installed Keylogger Found On Over 460 HP Laptop Models

Once again, Hewlett-Packard (HP) was caught pre-installing a keylogger on more than 460 HP Notebook laptop models, one that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information and credit card details.

When it was reported last month, HP acknowledged the presence of the keylogger, saying it was actually "a debug trace" that had been left in accidentally, and that affected users can install an updated Synaptics touchpad driver to remove it.

To know how to check if your HP laptop is vulnerable to this issue and download compatible drivers, Read More.

New Email Spoofing Flaw Affects Over 30 Popular Email Clients

Researchers discovered a collection of vulnerabilities in more than 30 popular email clients that could allow anyone to send spoofed emails that bypass anti-spoofing mechanisms.

To watch the PoC video released by the researchers and know more about the vulnerabilities, Read More.

Largest Crypto-Mining Exchange Hacked; Over $80 Million in Bitcoin Stolen

Last week was a golden week in Bitcoin's history, with the price of 1 BTC touching almost $19,000, but the media hype about the price overshadowed the hack of the largest Bitcoin mining marketplace, NiceHash.

The service went offline (and was still offline at the time of writing) with a post on its website confirming that "there has been a security breach involving NiceHash website," and that hackers had stolen the contents of the NiceHash Bitcoin wallet.

Microsoft Issues Emergency Windows Security Update

A week before its December Patch Tuesday updates, Microsoft released an emergency security patch for a critical remote code execution vulnerability in its Malware Protection Engine (MPE) that could allow an attacker to take full control of a victim's PC.

Security Flaw Left Major Banking Apps Vulnerable to MiTM Attacks Over SSL

Researchers discovered a critical implementation flaw in major mobile banking apps, for both iOS and Android, that left the banking credentials of millions of users vulnerable to man-in-the-middle attacks.

An attacker on the same network as the victim could have exploited the vulnerable banking apps to intercept the SSL connection and retrieve the user's banking credentials, such as usernames and passwords or PIN codes, even though the apps used SSL pinning.

To know how attackers could have exploited this vulnerability to take over your bank accounts, Read More.

Massive Data Breach Exposes Personal Data On 31 Million Users

When downloading apps to their smartphones, most users do not realise how much data those apps collect about them, and app developers take advantage of this, gathering far more data on their users than their apps actually need in order to work.

But what if this data falls into the wrong hand?

That is exactly what happened last week, when a massive trove of personal data (over 577 GB) belonging to more than 31 million users of the popular virtual keyboard app AI.type was left online for anyone to download without a password.

To know more about the data breach incident and what information users lost, Read More.

The vulnerability was discovered by security researchers at Check Point, who also released a proof-of-concept (PoC) attack, dubbed ParseDroid, along with a video demonstrating how the attack works.

To watch the video and know how this vulnerability can be exploited, Read More.

Uber Paid Florida Hacker $100,000 to Keep Data Breach News Secret

It turns out that a 20-year-old Florida man, with the help of another person, was responsible for the massive Uber data breach in October 2016 and was paid a large sum by the ride-hailing company to destroy the data and keep the breach secret.

Last week, Uber admitted that a massive data breach last year exposed the personal data of 57 million customers and drivers, and that it paid the two hackers $100,000 in ransom to destroy the information.

To know more about the data breach at Uber and the hackers, Read More.